topic Re: How to route same source to multiple indexers and their respective indexes ? in Getting Data In

How to route same source to multiple indexers and their respective indexes ?

dm1 — Thu, 22 Jul 2021 00:39:20 GMT

I have two data sources (Syslog and Netflow) which I am collecting on a dedicated host, where I have installed a Universal Forwarder. It is acting as an intermediate forwarder.

I have to route this data to Indexers of two different organisations on their respective indexes.

E.g

OrgA
1. Syslog needs to go to index=syslog_A
2. Netflow needs to go to index=netflow_A
3. Indexer is IndexerA:9997
OrgB
1. Same Syslog as above needs to go to index=syslog_B
2. Same Netflow as above needs to go to index=netflow_B
3. Indexer is IndexerB:9997
MyOrg
1. Only Splunk internal logs to IndexerMyOrg

Because this routing is based on metadata, I believe, I should be able to achieve this using universal forwarder.

Can someone please advise how I can achieve this ?

Re: How to route same source to multiple indexers and their respective indexes ?

venkatasri — Thu, 22 Jul 2021 01:42:21 GMT

Hi @dm1

_TCP_ROUTING setting in inputs conf works for your case. and you need to configure two tcpout indexer groups in outputs conf. Your config might look like as follows,

#inputs.conf

[monitor://<your_syslog_file_path>] index=indexA sourcetype=<syslog_st> _TCP_ROUTING = indexerA-group [monitor://<your_netflow_file_path>] index=indexA sourcetype=<netflow_st> _TCP_ROUTING = indexerA-group [monitor://<your_syslog_file_path>] index=indexB sourcetype=<syslog_st> _TCP_ROUTING = indexerB-group [monitor://<your_netflow_file_path>] index=indexB sourcetype=<netflow_st> _TCP_ROUTING = indexerB-group

#outputs.conf

[tcpout:indexerA-group] server=<indexerA-host>:9997 [tcpout:indexerB-group] server=<indexerB-host>:9997

---

An upvote would be appreciated and Accept solution if this reply helps!

Re: How to route same source to multiple indexers and their respective indexes ?

dm1 — Thu, 22 Jul 2021 01:50:53 GMT

Hi @venkatasri , thanks for your reply.

but with the same monitor stanza, wouldn't Splunk just choose one setting and only forward to one indexer based on precedence ?

Re: How to route same source to multiple indexers and their respective indexes ?

venkatasri — Thu, 22 Jul 2021 01:59:01 GMT

@dm1 I too doubt about that as fishbucket ignores other monitors as duplicates just give a try! if not working then You might need HF to actually achieve in that case.

Can you follow this link - Solved: One source to two indexes - Splunk Community

---

An upvote would be appreciated if this reply helps!

Re: How to route same source to multiple indexers and their respective indexes ?

dm1 — Thu, 22 Jul 2021 02:26:18 GMT

From this link - https://docs.splunk.com/Documentation/Splunk/8.2.1/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input, it seems possible to route to two different indexers, but my only main challenge is assigning two indexes to same source

Re: How to route same source to multiple indexers and their respective indexes ?

venkatasri — Thu, 22 Jul 2021 02:40:28 GMT

@dm1 That's right indexers is not a problem can be done in UF.

indexes setting you need HF help.